Is it secure to use the shop field from the session as a store identifier?

Looking at the demo, I noticed they’re directly using the shop field from the session as the store identifier. They’re even using this same shop field as the store identifier in the QR code table.

model QRCode {
  id               Int      @id @default(autoincrement())
  title            String
  shop             String
  productId        String
  productHandle    String
  productVariantId String
  destination      String
  scans            Int      @default(0)
  createdAt        DateTime @default(now())
}

// loader:
export async function loader({ request }) {
  const { admin, session } = await authenticate.admin(request);
  const qrCodes = await getQRCodes(session.shop, admin.graphql);

  return json({
    qrCodes,
  });
}

// db:
export async function getQRCodes(shop, graphql) {
  const qrCodes = await db.qRCode.findMany({
    where: { shop },
    orderBy: { id: "desc" },
  });

  if (qrCodes.length === 0) return [];

  return Promise.all(
    qrCodes.map((qrCode) => supplementQRCode(qrCode, graphql))
  );
}

I’m currently developing my own app and have completed some of the features. I’ve been using session.shop as the store identifier, but now I’m worried that this might not be the most reliable approach.

I’m wondering if it’s safe to use session.shop like in the demo. Is this shop field unique and tamper-proof for each store? Or should I be making GraphQL calls every time to fetch the shopId just to be on the safe side?

Hi Zwei,

I’ve checked with our product team and they’ve confirmed the shop field will be the myshopify domain for the store, so that is unique, and shouldn’t change. This means it’s safe to use, in the context that you’ve shown here.

2 Likes
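The safety of `session.shop` as a store identifier depends on every query taking the shop from the authenticated session and on lookups by `id` carrying the same filter. The following is an added example, not code from the demo or from Shopify. `qrCodesFor`, `makeDb`, the sample rows and the domain regex are assumptions, and the in-memory store is a synchronous stand-in for the Prisma client.

```javascript
// Added example: tenant-scoped data access keyed by the authenticated session's shop.
// Assumed shape of a myshopify domain; rejects anything that is not <name>.myshopify.com.
const SHOP_RE = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;

// Constructed in-memory stand-in for the Prisma `qRCode` table (synchronous for brevity).
function makeDb(rows) {
  const matches = (row, where) => Object.entries(where).every(([k, v]) => row[k] === v);
  return {
    findMany: ({ where }) => rows.filter((r) => matches(r, where)),
    findFirst: ({ where }) => rows.find((r) => matches(r, where)) ?? null,
    updateMany: ({ where, data }) => {
      const hit = rows.filter((r) => matches(r, where));
      hit.forEach((r) => Object.assign(r, data));
      return { count: hit.length };
    },
  };
}

// Hypothetical helper: binds every query to one shop so callers cannot omit the filter.
function qrCodesFor(db, sessionShop) {
  if (typeof sessionShop !== "string" || !SHOP_RE.test(sessionShop)) {
    throw new Error("invalid shop in session");
  }
  const shop = sessionShop;
  return {
    list: () => db.findMany({ where: { shop } }),
    // Lookup by id keeps the shop filter, so an id belonging to another store returns null.
    get: (id) => db.findFirst({ where: { id, shop } }),
    // Writes are scoped the same way; zero matched rows means the record is not this shop's.
    rename: (id, title) =>
      db.updateMany({ where: { id, shop }, data: { title } }).count === 1,
  };
}

// Constructed sample rows for two stores.
const db = makeDb([
  { id: 1, shop: "store-a.myshopify.com", title: "A promo" },
  { id: 2, shop: "store-b.myshopify.com", title: "B promo" },
]);
const storeA = qrCodesFor(db, "store-a.myshopify.com");
console.log(storeA.list().length, storeA.get(2), storeA.rename(2, "x"));
```

In a real loader the `sessionShop` argument would come from `authenticate.admin(request)` as in the snippet above, never from a query string or form field.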